Satisnet Ltd, Basepoint Innovation Centre, 110 Butterfield Great Marlings, Luton, Bedfordshire, LU2 8DL enquiry@satisnet.co.uk
+44 (0) 1582 434320

Almost? Tales From Vault 7 - Part 1

Almost? Tales From Vault 7 - Part 1

Almost? Tales From Vault 7 - Part 1

Having already wrote my part 2 for the tales from vault 7 series a few weeks back I thought I was way ahead of this blogging malarkey, and understandably quite proud of myself… until Saturday (8/4/17).

“Why Saturday?!” I hear the thousands (probably millions) of you reading this blog entry1 screaming aloud…. And what’s more depressing is that there is good reason for you not to know – as the purported data leak from the NSA hasn’t be mentioned in any major mainstream media (as of 9/4/17).

A tweet from Edward Snowden first put me onto the data dump – I’ve redacted the link for legal purposes (as I don’t want my door kicked in for spreading stolen NSA malware.)

Edward Snowden

Shakily cloning the GIT repository, I started to rip through what was already available and attempt to determine the functionality of the scripts.2

1There’s a bit of British sarcasm for you. I must be the only guy who writes references for a blog post.
2Later commits to the GIT repo have included further information as to what exactly each script in the repository is associated with and guesses at what each repo uses.

FULL DISCLOSURE – My free SophosAV then began to go wild flagging malware until I disabled it. So if you’re planning on getting hands-on, you will definitely be downloading some malware you didn’t intend on receiving. Also bear in mind this is not me endorsing or condoning you downloading the git repo or the files. You do any of these actions at your own behest/responsibility.

This blog will provide a summarised content of the dump, an excerpt of the README in the git repository - which is a community effort to identify exactly which exploits have been leveraged and the functionality of the malware.3

Content4

Unknown

  • JACKLADDER
  • DAMPCROWD
  • ELDESTMYDLE
  • SUAVEEYEFUL
  • WATCHER
  • YELLOWSPIRIT

MISC

  • DITTLELIGHT (HIDELIGHT) unhide NOPEN window to run unix oracle db scripts
  • DUL shellcode packer
  • egg_timer execution delayer (equivalent to at)
  • ewok snmpwalk-like?
  • gr Web crontab manager? wtf. NSA are webscale dude
  • jackladderhelper simple port binder
  • magicjack DES implementation in Perl
  • PORKSERVER inetd-based server for the PORK implant
  • ri equivalent to rpcinfo
  • uX_local Micro X server, likely for remote management
  • ITIME Change Date/Time of a last change on a file of an unix filesystem

3I would reference the GIT repo here but that would really defeat the object of redacting it in Eds tweet.
4Accurate as of 13/4/17

Remote Code Execution

Solaris

  • CATFLAP Solaris 7/8/9 (SPARC and Intel) RCE (for a LOT of versions)
  • EASYSTREET/CMSEX and cmsd Solaris rpc.cmsdremote root
  • EBBISLAND/ELVISCICADA/snmpXdmid and frown: CVE-2001-0236, Solaris 2.6-2.9 - snmpXdmid Buffer Overflow
  • sneer: mibissa (Sun snmpd) RCE, with DWARF symbols :D
  • dtspcdx_sparc dtspcd RCE for SunOS 5. -5.8. what a useless exploit
  • TOOLTALK DEC, IRIX, or Sol2.6 or earlier Tooltalk buffer overflow RCE
  • VIOLENTSPIRIT RCE for ttsession daemon in CDE on Solaris 2.6-2.9 on SPARC and x86
  • EBBISLAND RCE Solaris 2.6 -> 2.10 Inject shellcode in vulnerable rpc service

Netscape Server

  • xp_ns-httpd NetScape Server RCE
  • nsent RCE for NetScape Enterprise server 4.1 for Solaris
  • eggbasket another NetScape Enterprise RCE, this time version 3.5, likely SPARC only

FTP Servers

  • EE proftpd 1.2.8 RCE, for RHL 7.3+/Linux, CVE-2011-4130? another reason not to use proftpd
  • wuftpd likely CVE-2001-0550

Web

  • ESMARKCONANT exploits phpBB remote command execution (2.0.11) CVE-2004-1315
  • ELIDESKEW Public known vulnerablity in SquirrelMail versions 1.4.0 - 1.4.7
  • ELITEHAMMER Runs against RedFlag Webmail 4, yields user nobody
  • ENVISIONCOLLISION RCE for phpBB (derivative)
  • EPICHERO RCE for Avaya Media Server
  • COTTONAXE RCE to retrieve log and information on LiteSpeed Web Server

Misc

  • calserver spooler RPC based RCE
  • EARLYSHOVEL RCE RHL7 using sendmail CVE-2003-0681CVE-2003-0694
  • ECHOWRECKER/sambal: samba 2.2 and 3.0.2a - 3.0.12-5 RCE (with DWARF symbols), for FreeBSD, OpenBSD 3.1, OpenBSD 3.2 (with a non-executable stack, zomg), and Linux. Likely CVE-2003-0201. There is also a Solaris version
  • ELECTRICSLIDE RCE (heap-overflow) in Squid, with a chinese-looking vector
  • EMBERSNOUT a remote exploit against Red Hat 9.0's httpd-2.0.40-21
  • ENGAGENAUGHTY/apache-ssl-linux Apache2 mod-ssl RCE (2008), SSLv2
  • ENTERSEED Postfix RCE, for 2.0.8 - 2.1.5
  • ERRGENTLE/xp-exim-3-remote-linux Exim remote root, likely CVE-2001-0690, Exim 3.22 - 3.35
  • EXPOSITTRAG exploit pcnfsd version 2.x
  • extinctspinash: Chili!Soft ASP stuff RCE? and Cobalt RaQ too?
  • KWIKEMART (km binary) RCE for SSH1 padding crc32 thingy (https://packetstormsecurity.com/files/24347/ssh1.crc32.txt.html)
  • prout (ab)use of pcnfs RPC program (version 2 only) (1999)
  • slugger: various printers RCE, looks like CVE-1999-0078
  • statdx Redhat Linux 6.0/6.1/6.2 rpc.statd remote root exploit (IA32)
  • telex Telnetd RCE for RHL? CVE-1999-0192?
  • toffeehammer RCE for cgiecho part of cgimail, exploits fprintf
  • VS-VIOLET Solaris 2.6 - 2.9, something related to XDMCP
  • SKIMCOUNTRY Steal mobile phone log data
  • SLYHERETIC_CHECKS Check if a target is ready for SLYHERETIC (not included)
  • EMPTYBOWL RCE for MailCenter Gateway (mcgate) - an application that comes with Asia Info Message Center mailserver; buffer overflow allows a string passed to popen() call to be controlled by an attacker; arbitraty cmd execute known to work only for AIMC Version 2.9.5.1
  • CURSEHAPPY Parser of CDR (Call Detail Records) (siemens, alcatel, other containing isb hki lhr files) probably upgrade of ORLEANSTRIDE
  • ORLEANSTRIDE Parser of CDR (Call Detail Records)

Anti-forensic

  • toast: wtmps editor/manipulator/querier
  • pcleans: pacctl manipulator/cleaner
  • DIZZYTACHOMETER: Alters RPM database when system file is changed so that RPM (>4.1) verify doesn't complain
  • DUBMOAT Manipulate utmp
  • Auditcleaner cleans up audit.log

Control

Iting HP-UX, Linux, SunOS

  • FUNNELOUT: database-based web-backdoor for vbulletin
  • hi UNIX bind shell
  • jackpop bind shell for SPARC
  • NOPEN Backdoor? A RAT or post-exploitation shell consisting of a client and a server that encrypts data using RC6 source** SunOS5.8
  • SAMPLEMAN / ROUTER TOUCH Clearly hits Cisco via some sort of redirection via a tool on port 2323... (thanks to @cynicalsecurity)
  • SECONDDATE Implant for Linux/FreeBSD/Solaris/JunOS
  • SHENTYSDELIGHT Linux keylogger
  • SIDETRACK implant used for PITCHIMPAIR
  • SIFT Implant for Solaris/Linux/FreeBSD
  • SLYHERETIC SLYHERETIC is a light-weight implant for AIX 5.1:-5.2 Uses Hide-in-Plain-Sight techniques to provide stealth.
  • STRIFEWORLD: Network-monitoring for UNIX, needs to be launched as root. Strifeworld is a program that captures data transmitted as part of TCP connections and stores the data in a memory for analysis. Strifeworld reconstructs the actual data streams and stores each session in a file for later analysis.
  • SUCTIONCHAR: 32 or 64 bit OS, solaris sparc 8,9, Kernel level implant - transparent, sustained, or realtime interception of processes input/output vnode traffic, able to intercept ssh, telnet, rlogin, rsh, password, login, csh, su, …
  • STOICSURGEON Rootkit/Backdoor Linux MultiArchi
  • INCISION Rootkit/Backdoor Linux Can be upgrade to StoicSurgeon(more recent version)

CnC

  • Seconddate_CnC: CnC for SECONDDATE
  • ELECTRICSIDE likely a big-fat-ass CnC
  • NOCLIENT Seems to be the CnC for NOPEN*
  • DEWDROP

Privesc

Linux

  • h: linux kernel privesc, old-day compiled hatorihanzo.c, do-brk() in 2.4.22 CVE-2003-0961
  • gsh: setreuid(0,0);execl("bash","/bin/bash")
  • PTRACE/FORKPTY/km3: linux kernel lpe, kmod+ptrace, CVE-2003-0127, (https://mjt.nysv.org/scratch/ptrace_exploit/km3.c)
  • EXACTCHANGE: NULL-deref based local-root, based on various sockets protocols, compiled in 2004, made public in 2005
  • ghost:statmon/tooltalk privesc?
  • elgingamble:
  • ESTOPFORBADE local root gds_inet_server for, Cobalt Linux release 6.0, to be used with complexpuzzle
  • ENVOYTOMATO LPE through bluetooth stack(?)
  • ESTOPMOONLIT Linux LPE
  • EPOXYRESIN Linux LPE

AIX

  • EXCEEDSALON-AIX privesc

Others

  • procsuid: setuid perl (yes, it's a real thing) privesc through unsanitized environnement variables. wtf dude
  • elatedmonkey: cpanel privesc (0day) using /usr/local/cpanel/3rdparty/mailman/. Creates mailman mailing list: mailman config_list
  • estesfox: logwatch privesc, old-day
  • evolvingstrategy: privesc, likely for Kaspersky Anti-virus (/sbin/keepup2date is kaspersky's stuff) (what is ey_vrupdate?)
  • eh OpenWebMail privesc
  • escrowupgrade cachefsd for solaris 2.6 2.7 sparc
  • ENGLANDBOGY local exploit against Xorg X11R7 1.0.1, X11R7 1.0, X11R6 6.9, Includes the following distributions: MandrakeSoft Linux 10.2, Ubuntu 5.0.4, SuSE Linux 10.0, RedHat Fedora Core5, MandrakeSoft Linux 2006.0. requires a setuid Xorg
  • endlessdonut: Apache fastcgi privesc
  • Some other interesting resources in this dump – ‘pitches’, here is detailed numerous websites listed along with code names for different types of malware. This would indicate that these are compromised servers which either serve malware to unwitting users or are the targets themselves of malware infection.

    Some of the epochs from the relevant resources inside this dump range from 1997 to 2011 – the latest being found in a export of Mozzilla bookmarks. From some of the miscellaneous items in this dump it looks as if the compromised host which yielded these resources was a test machine somewhere inside of NSA networks (this is PURELY speculation on my side though.)